Router and WiFi AP in Fedora Server 30

Hello!

I am trying to set up a small WiFi router with access point in Fedora 30.

The router has the following installed:

  • dnsmasq
  • unbound
  • hostapd

I am using iptables for managing the firewall and setting the forwarding of traffic. firewalld is masked.

Routing, DHCP, and DNS all work well on the wired interfaces (there is a public wired interface, and an internal wired interface), but wireless clients cannot communicate with any node on the local network or the Internet (even ping / ICMP fails as though there is no connection). These wireless clients are given IP addresses by the server, but they can’t talk to other hosts, and other hosts on the LAN can’t talk to them either.

I have turned off hostapd temporarily as I have been unable to get it to start while wpa_supplicant is running. If wpa_supplicant is not running, the wireless adaptor on the AP does not get an IP address (even if I have a file set for it in /etc/sysconfig/network-scripts/), and in that case hostapd starts but throws an error when the client tries to connect via wifi (it basically says it received a connection on interface [name here], but it does not have an IP address).

I have had a similar set-up working well with Fedora 27 for quite some time, though it went cuckoo after a power outage. So I am re-building the wifi router now, with mixed results. hostapd worked well before.

I think the problem could be that the way network interfaces are handled in the most recent versions of Fedora means I have to do things somehow differently than before, though I’m not sure exactly how I should be doing things differently.

On my old server, I did not use network-manager and had ‘NM_CONTROLLED=no’ set in the interface config files in network-scripts. On Fedora 30, my wireless interface appears after ‘ip -c a’, but does not have an IP address unless wpa_supplicant is running (I can’t quite remember if I’ve tried it with wpa_supplicant off, and the interface file set with ‘NM_CONTROLLED=no’ – I should try that next).

Given the move away from network-scripts, and toward NetworkManager, I have tried my best in using nmcli and nmtui to configure my interfaces and to create and manage a NetworkManager connection on the server for the wireless AP. There is no X or Wayland GUI on this machine. The wireless connection profile is set with ‘Mode=Ap’, and type of ‘wireless’. I backed up the configuration file in network-scripts for the interface and moved it to another directory, as it appears that is the only way to manage wireless interfaces now (no config file for the interface, but a config file for a connection associated with it).

I think those are all the pertinent details. I feel that I am incredibly close to having this all working properly, but am missing one tiny detail in my set-up. Might anyone have any clues for me that would help me sort it? Basically, I’m just trying to get a functioning wireless AP set up at this point – the rest is all working.

At this point, I have spent many hours on this project, but feel I’ve now run into a wall. :confused:

Thank you for any help you may be able to provide!!!


Please, collect the runtime diagnostics from the Fedora router:

ip address show; ip route show; ip rule show
sysctl -a net 2>/dev/null | grep -e forward
sudo iptables-save

As well as persistent hostapd, wpa_supplicant and other related configs.

You can perform testing with SELinux temporarily disabled:

sudo setenforce 0

Also note the following as it should be more or less relevant if you do not have virtualization installed:

Hi. Thanks for your help!

The information you asked for is below, with sensitive information removed.

I have enabled forwarding in sysctl.conf. SELinux is disabled for now, while I troubleshoot this problem.

[root@router ~]# ip address show; ip route show; ip rule show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp17s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether [mac] brd ff:ff:ff:ff:ff:ff
    inet [private ip].2/24 brd [private].255 scope global enp17s0
       valid_lft forever preferred_lft forever
    inet6 [mac] scope link 
       valid_lft forever preferred_lft forever
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether [mac] brd ff:ff:ff:ff:ff:ff
    inet [public ip]/26 brd  scope global dynamic noprefixroute enp0s25
       valid_lft 83654sec preferred_lft 83654sec
    inet6 [private] scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether [mac] brd ff:ff:ff:ff:ff:ff
    inet [private ip].1/24 brd [private].255 scope global noprefixroute wlp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::[private ip] scope link noprefixroute 
       valid_lft forever preferred_lft forever
default via [gateway ip] dev enp0s25 proto dhcp metric 100 
default via [private ip].1 dev wlp1s0 proto static metric 600 
/26 dev enp0s25 proto kernel scope link src [public IP] metric 100 
/16 dev enp17s0 scope link metric 1002 
[private].0/24 dev enp17s0 proto kernel scope link src [private ip].2 
[private].0/24 dev wlp1s0 proto kernel scope link src [private IP].1 metric 600 
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

[root@router ~]# sysctl -a net 2>/dev/null | grep -e forward

net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.enp0s25.bc_forwarding = 0
net.ipv4.conf.enp0s25.forwarding = 1
net.ipv4.conf.enp0s25.mc_forwarding = 0
net.ipv4.conf.enp17s0.bc_forwarding = 0
net.ipv4.conf.enp17s0.forwarding = 1
net.ipv4.conf.enp17s0.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wlp1s0.bc_forwarding = 0
net.ipv4.conf.wlp1s0.forwarding = 1
net.ipv4.conf.wlp1s0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.enp0s25.forwarding = 0
net.ipv6.conf.enp0s25.mc_forwarding = 0
net.ipv6.conf.enp17s0.forwarding = 0
net.ipv6.conf.enp17s0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.wlp1s0.forwarding = 0
net.ipv6.conf.wlp1s0.mc_forwarding = 0

iptables rules:

*nat
:PREROUTING ACCEPT [6:240]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp0s25 -j MASQUERADE
COMMIT
# Completed on Wed Sep 25 15:21:52 2019
# Generated by iptables-save v1.8.2 on Wed Sep 25 15:21:52 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:748]
-A INPUT -i enp17s0 -j ACCEPT
-A INPUT -i wlp1s0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlp1s0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i enp17s0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i enp0s25 -o wlp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlp1s0 -o enp0s25 -j ACCEPT
-A FORWARD -i enp0s25 -o enp17s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp17s0 -o enp0s25 -j ACCEPT
-A FORWARD -i enp0s25 -o wlp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlp1s0 -o enp0s25 -j ACCEPT
COMMIT

hostapd.conf:

ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel

# Some usable default settings...
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0

# Uncomment these for base WPA & WPA2 support with a pre-shared key
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
#rsn_pairwise=CCMP

# DO NOT FORGET TO SET A WPA PASSPHRASE!!
wpa_passphrase=secretpasswordhere

# Most modern wireless drivers in the kernel need driver=nl80211
driver=nl80211

# Customize these for your local configuration...
interface=wlp1s0
#hw_mode=
channel=7
ssid=mywifinetwork

hw_mode=g
ieee80211n=1

This route doesn’t look correct.
Remove the gateway parameter from the wlp1s0 interface.

Either use different subnets for these interfaces, or bridge them together for one subnet.

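As an added check (not part of the thread), a small Python script that parses `ip address show` and `ip route show` output and flags the two faults pointed out above: a default route on an internal interface, and two unbridged interfaces sharing a subnet. The sample output is constructed with made-up addresses modelled on the redacted listing earlier in the thread; the WAN interface name enp0s25 is taken from it.

```python
import ipaddress
import re
# Constructed sample (addresses made up) modelled on the thread's redacted output.
BROKEN_ADDRS = """\
2: enp17s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.2/24 brd 192.168.1.255 scope global enp17s0
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 203.0.113.10/26 brd 203.0.113.63 scope global dynamic enp0s25
4: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.1/24 brd 192.168.1.255 scope global wlp1s0
"""
BROKEN_ROUTES = """\
default via 203.0.113.1 dev enp0s25 proto dhcp metric 100
default via 192.168.1.1 dev wlp1s0 proto static metric 600
203.0.113.0/26 dev enp0s25 proto kernel scope link src 203.0.113.10
192.168.1.0/24 dev enp17s0 proto kernel scope link src 192.168.1.2
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.1 metric 600
"""

def parse_addrs(text):
    """Map interface name -> IPv4 ip_interface objects from `ip address show`."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"\d+: (\S+?):", line)
        inet = re.match(r"\s+inet (\S+)", line)
        if head:
            cur = head.group(1)
        elif inet and cur:
            ifaces.setdefault(cur, []).append(ipaddress.ip_interface(inet.group(1)))
    return ifaces

def default_routes(text):
    """Return [(gateway, dev), ...] for every default route in `ip route show`."""
    return re.findall(r"^default via (\S+) dev (\S+)", text, re.M)

def check_router(addr_text, route_text, wan="enp0s25"):
    """Return the problems found; an empty list means the layout is sane."""
    problems = []
    # 1. Only the upstream (WAN) interface should carry a default route.
    for gw, dev in default_routes(route_text):
        if dev != wan:
            problems.append(f"default route via {gw} on internal interface {dev}")
    # 2. Two unbridged interfaces must not sit on the same or overlapping subnet.
    nets = [(dev, ip.network) for dev, ips in parse_addrs(addr_text).items()
            for ip in ips]
    for i, (d1, n1) in enumerate(nets):
        for d2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{d1} {n1} overlaps {d2} {n2}")
    return problems
```

On a live router, feed it the real output (`ip address show` and `ip route show`) and an empty result after the fix confirms that the AP interface has no gateway and its own subnet.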

You are brilliant, vgaetera!

Thank you so much for finding and telling me my errors.

I removed the gateway parameter from my wireless AP NetworkManager connection.

Then I edited that wireless AP connection to also use a different subnet. After doing that, I had to edit the dnsmasq configuration to provide DHCP leases on the additional net that I just put my wireless connection on.

After making those changes, I brought the wireless connection down with nmcli, and back up again. Then I tried connecting from my laptop to the router via WiFi, and voila! It worked!!

My eyes were crossed from working on this for so long and I did not realise I had a default gateway set for the wireless connection. I also did not know that I needed to have the two internal interfaces on the router (wired LAN and wireless LAN) on two different nets – that was a critical piece of this puzzle I just did not know I needed to do.

I have spent so much time working out little issues with this set-up, but it was worth it. I have a re-built and fully functioning WiFi router using more modern kit (especially the NetworkManager stuff).

One of my hunches about this turned out to be correct – hostapd is no longer needed if one is using NetworkManager to manage their wireless AP. Not only is hostapd unnecessary, getting it working would likely require pulling apart NetworkManager and wpa_supplicant, which would probably bring other complications as well. So hopefully, that information and the other bits we’ve covered in this thread help others who might have the same problems in the future.

When I get my blog back up one of these days, I will write a blog article detailing how I’ve set all this up. There are a bunch of blog posts online about building a router or WiFi AP with Ubuntu, but I could not find even one that describes how to do so with Fedora or CentOS.

Thank you, thank you, thank you again! :slight_smile:
